Hosts Tutorial
This is an introduction to using and fixing the HOSTS file to enable some familiarity, to clarify some general points,
and provide links to assist users wanting to know more, particularly at the entry level to the topic.

Most of us use the HOSTS file every day without knowing it, and without needing to alter it in any way.
It’s when log problems arise that we need to fix, then a little knowledge comes in handy,
but the volume of detail in finding out about it can often deter us from being useful.
The following was jotted to be useful, rather than give the full and complete knowledge base.

HOSTS file

A simple explanation:

A host file entry works in reverse.
e.g. 222.0.0.0 New York City
It directs the name on the right to the IP address on the left.
Your browser will get sent to the IP address 222.0.0.0 on the left.

Quote:

So it's like a traffic sign.
To New York City, take route 222.

I must have read a couple of hundred explanations of hosts files...That is the best yet! [Thanks Suzi!]

This would look like this (in a pretend Hosts file)
222.0.0.0 New York City
and where our PC lives, we call it ‘home’ or ‘localhost’ which looks like this:
127.0.0.1 home
[As in “There’s no place like 127.0.0.1” on geek T-shirts]

Home base is 127.0.0.1 for your computer, and is a safe destination,
and this is usually the first entry in a real hosts file.
127.0.0.1 localhost

Safe Sites example:
Anything sent ‘home’ is safe…
e.g.
127.0.0.1 instant.death.net … is totally safe,
127.0.0.1 popup.ads.com - - gets you no more ads from that site.
127.0.0.1 hack.heaven.co.uk - - you won’t have to worry about re-directs to that site.
127.0.0.1 driveby.downloads.net - - your browser will not even go to this site.
These sites are now blocked.

216.177.73.139 is www.igetnet.com
Your browser is sent there! This shows as the log entry
O1 - Hosts: 216.177.73.139 ieautosearch
which we fix easily with HijackThis.

If the HOSTS file has been badly tampered with, it is usually best to rename or delete it,
and then replace it.
Renaming it allows you to copy good entries back into the new HOSTS file if they are needed.
(If you are trying to fix a hosts file, renaming or replacing is much better than
tediously going through and identifying and deleting offending entries by their IP address.)
Rename HOSTS to HOSTS.BAK
or rename HOSTS to HOSTS.OLD
or even HOSTS to OLDHOSTS
Then you can check for any needed entries by asking the user to look at it carefully. E.g.
127.0.0.1 pop3.norton.antivirus
These can be edited back in at a later stage.

Simply deleting the HOSTS file is no problem.
If it is not used by that person, or if it is corrupted,
or you have a perceived problem with Hosts files.
HOSTS files aren’t that critical to Windows operations
– many systems get by happily with the default
127.0.0.1 localhost
as their complete HOSTS file -
but as new exploits arise, an updated and comprehensive Hosts file
is essential for safe internet operations.

Replacing it can be done manually, but replacing it with something very useful, is too easy.
It can be as simple as adding the Spybot HOSTS list from within the advanced program,
(Tools>Hosts File>Add Spybot S&D Hosts List) *This HOSTS list is currently being updated.

* will block advertising/porn/ sites (or any other site you wish) if those entries are included

* will block ads from bad sites (including tracking ads), on any site you happen to go to

* will block IP calls on any port, whether it is HTTP(the web), FTP or whatever

* will bypass any redirects to the listed bad sites,

* will allow you to update changes to domains and IP addresses quickly

* and you can edit in, any site you don’t want accessed, and your browser will never go there- useful for some families

Work your way through a couple of uses on these sites, as well as finding how to re-name and edit your HOSTS file manually, and troubleshooting tips as well.
http://www.mvps.org/winhelp2002/hosts.htm
Another classic site is Gorilla’s http://www.accs-net.com/hosts

With a Hosts file installed, any attempt to go to those blocked sites will give you
the >>‘Cannot find server’ page: This is deliberate - ignore the warning blurb completely.

Quote:

The page cannot be displayed

The page you are looking for is currently unavailable.
The Web site might be experiencing technical difficulties,
or you may need to adjust your browser settings.
---------------------------------------------------------------

Please try the ……etc etc

If you have a serious need to go to a blocked site, you will need to disable the Hosts file temporarily,
or disable that blocked entry temporarily by putting a # at the front of the entry.
Any line with a # at the front is bypassed.

It can be very easy to help block some HOSTS file hijacks: >> Set the HOSTS file to read-only.
Open the containing folder, right-click on the file, select Properties,
check the "Read-only" box and click OK.

OR simply check the box on the Spybot Immunize page Lock Hosts function;
and then uncheck it again, to make any changes.

This should stop many simple hijack attempts to rewrite the hosts file.
Note: This may not stop several CWS hosts hijacks.

How does it work?
The short answer is that the Hosts file is like an address book or a list of traffic signs.
When you type an address like www.yahoo.com into your browser, the Hosts file is consulted to see if you have the IP address for Yahoo, i.e. 64.58.76.229 .
If you do, then your computer will "call it" and the site will open.

If not, your computer will ask your ISP's DNS Server for the IP address before it can "call" that site. Most of the time, you do not have addresses in your "address book," because you have not put any there. It goes through your ISP and it all happens automatically.

Why is Dynamic DNS necessary?
IP addresses such as 64.58.76.229 can be difficult for people to remember, so a scheme called DNS (Domain Name Service) was developed. DNS is a database which maps a human-friendly name, a domain name, to an underlying IP address. For instance, DNS allows you to type www.yahoo.com instead of 64.58.76.229 to get to Yahoo!.

Not only are IP addresses difficult to remember, but they may not even stay the same. Most Internet service providers assign dynamic and not static IP addresses to their subscribers. A dynamic IP address means that every time you connect to your ISP or at certain intervals, your computer's IP address may change.

Dynamic DNS service solves these issues by allowing you to use an easy to remember domain name instead of an IP address to help others locate your computer. It also constantly monitors any changes in your machine's IP address and updates the domain name-IP address mapping in DNS.

Special cases:
For those who couldn’t get to Merijn’s site recently; these helped our browsers get there.
216.40.225.12 merijn.org
216.40.225.12 www.merijn.org

/Edit: Update: These two IPs look to have been reassigned to privacymachine.com (another X-Block site). X-Block was hosting merijn.org during the attacks, and those IPs no longer point to merijn.org.
These can now be taken out of your hosts file if it has these entries. [i.e. If you manually put them there.]
Merijn, Shredder and Chronicles can now be found at Http://www.spywareinfo.com/~merijn and no doubt some of the other mirrors listed in these forums under CWShredder.
The new hosts hack is
209.133.47.200 merijn.org

203.161.127.141 www.dcsresearch.com
TDS-3 ..a trojan scanner remover - TDS have authorised the redirection from an old site of theirs [www.dcsresearch.com],
to their new host, 203.161.127.141

Quote:

www.dcsresearch.com is no longer owned by TDS. TDS-3 (if it is installed on your system) adds an entry to your HOSTS file to redirect that address to the correct ip. You can add it yourself like this if you like, 203.161.127.141 www.dcsresearch.com
Or just bookmark http://www.diamondcs.com.au/forum/
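
An added example, not part of the original post: a small Python audit that separates entries sent 'home' from entries that force a name to a remote address, the pattern behind the "O1 - Hosts:" log line. The sample file, the KNOWN_GOOD allowlist and the function names are constructed for illustration; treating 0.0.0.0 like 127.0.0.1 is an assumption beyond the post.

```python
import ipaddress

# Constructed sample; entries mirror the kinds of lines shown in the post.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 popup.ads.com
216.177.73.139 ieautosearch
# 209.133.47.200 merijn.org
203.161.127.141 www.dcsresearch.com  # redirect the user added on purpose
216.40.225.12www.merijn.org
"""

# Redirects the user knowingly keeps (hypothetical allowlist for this sample).
KNOWN_GOOD = {("203.161.127.141", "www.dcsresearch.com")}


def parse_hosts(text):
    """Yield (lineno, address_field, names) for every active line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # text after '#' is bypassed
        if line:
            fields = line.split()
            yield lineno, fields[0], fields[1:]


def audit_hosts(text, known_good=frozenset()):
    """Return (lineno, verdict, address, name) tuples, one per mapped name."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            ip = None
        if ip is None or not names:
            # e.g. a missing space between address and name
            findings.append((lineno, "malformed", addr, " ".join(names)))
            continue
        for name in names:
            if ip.is_loopback or ip.is_unspecified:
                verdict = "local"        # sent 'home': localhost or a block entry
            elif (addr, name.lower()) in known_good:
                verdict = "allowed"      # remote address the user expects
            else:
                verdict = "redirect"     # name forced to a remote address: review
            findings.append((lineno, verdict, addr, name))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, KNOWN_GOOD):
        print(*finding)
```

Anything reported as "redirect" or "malformed" is what to look at before copying entries from a renamed HOSTS.BAK back into a fresh file.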

Great information - thanks Iceblue!
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.

hello
about this merging thing, just how or what do you do to make it merge?
"http://www.mvps.org/winhelp2002/hosts.htm and merging it with yours.
i.e. but not both as there may be conflict problems."
_________________
in default plain text

hello there CI,
You can simply replace your existing hosts with an update from mvps/accs/hpguru etc
or
backup and copy to notepad; then add the new entries; sort and save as the new hosts file;
how_to_use_hosts
or
look into using HOSTESS to manage a host file database if you want to keep your existing entries and avoid duplications and errors.
HOSTESS

Setting the "Read Only" attribute gives a false sense of security as it is only valid for Win2K/XP non-Administrator user accounts. Win95/98/ME are vulnerable. CWS are masters at altering "Read Only" HOSTS files.

If you are using a large HOSTS file in Win2K/XP then the DNS Client Service needs to be set to Manual to avoid system slowdowns. The DNS Client Service is an unnecessary Service that is needed very rarely.
http://www.blackviper.com/WinXP/servicecfg.htm

Discussing the "Best" HOSTS file is like discussing religion and politics. Everyone is entitled to their own but some people will insist theirs is the best. Showing information permits people to make up their own mind.

One further backup precaution, is to encrypt your Hosts file using one of SpywareBlaster's tools.

Quote:

Hosts Safe: The Hosts Safe can store encrypted backup copies or snapshots of the Hosts file. These backup copies are stored in the SpywareBlaster folder. Should you ever need to restore a backup copy of your hosts file, simply select it from the displayed list and press the "Restore Saved Backup" button.

and this works for all operating systems. Should your Hosts file become corrupted, it is an easy fix to replace it from a backup. The whole operation takes two seconds from within SpywareBlaster > Tools > Hosts Safe.
_________________
Travel safely!

Hi, very informative article about HOSTS and the use of it, I just have a question.
CalamityKen wrote about using a large HOSTS file in Win XP, it could be good to change the DNS from automatic to manual to avoid slowdowns, no problem, I did that, but at what level is the HOSTS file recognized as large? Mine is this size: 128kB, it's the HOSTS file from Bluetack with some personal add-ins.
regards frederik

Hi Moore, thanks for the answer, I was a little worried, 'cause I've seen some Hosts on the net, and was thinking about merging them, so that I will do soon, 'cause I can see a well managed Hosts file is a good security advance.
regards frederik